The Road to Mediocrity

Google Docs has chosen to red-underline the word “feasible,” which, as you can see, is in its dictionary, to suggest “possible.” “Possible,” possibly, was not the word I selected, because it means something different.

Good writing is direct. Good writing respects the reader. Good writing doesn’t tax the reader accidentally. It uses simple words when possible, effectively utilizing, no wait, utilize means you’re attempting to make your writing sound fancier than it need be. Never use “utilize” when it’s feasible to say “use.”

Good writing tools are unobtrusive. They don’t randomize the writer away from what they’re working on to try to figure out why in holy hell it’s wrong to be using the word feasible and why it needs to be replaced.

The road to mediocre writing is paved with over-simplification and distraction.

My current go-to is Pinker’s The Sense of Style. What else helps you think about writing?

The Unanimous Declaration of the Thirteen United States of America

(Reading the declaration of independence is a useful reminder of why we chose to dissolve the political bands that connected us to another. It’s not about jingoism, or the results of a plebiscite, but about a “long train of abuses and usurpations, pursuing invariably the same Object,” and the proper response to such acts.)

In CONGRESS, July 4, 1776

The unanimous Declaration of the thirteen united States of America,

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.


Passwords Advice

Bruce Marshall has put together a comparison of OWASP ASVS v3 and v4 password requirements: OWASP ASVS 3.0 & 4.0 Comparison. This is useful in and of itself, and is also the sort of thing that more standards bodies should do, by default.

It’s all too common to have a new standard come out without clear diffs. It’s all too common for new standards to build closely on other standards, without clearly saying what they’ve altered and why. This leaves the analysis of ‘what’s different’ to each user of the standards. It increases the probability of errors. Both drive cost and waste effort. We should judge standards on their delivery of these important contextual documents.

DNS Security

I’m happy to say that some new research by Jay Jacobs, Wade Baker, and myself is now available, thanks to the Global Cyber Alliance.

They asked us to look at the value of DNS security, such as when your DNS provider uses threat intel to block malicious sites. It’s surprising how effective it is for a tool that’s so easy to deploy. (Just point your resolver at a DNS server like 9.9.9.9.)


The report is available from GCA’s site: Learn About How DNS Security Can Mitigate One-Third of Cyber Incidents
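To make the mechanism concrete, here is an added example (not code from the GCA report, nor from any resolver operator) of what a filtering resolver does: before answering, it checks the queried name against a threat-intel blocklist and sinkholes matches. The blocklist, the query log and the 0.0.0.0 sinkhole answer are constructed for the example; real providers answer blocked names with NXDOMAIN or a sinkhole address of their own choosing. The matching is done on label boundaries, which is the detail a naive string suffix check gets wrong.

```python
"""Resolver-side blocklist check: an added illustration of threat-intel
DNS filtering. Blocklist, log lines and sinkhole answer are constructed."""

BLOCKLIST = {"evil.example", "malware-cdn.test"}   # constructed threat-intel feed

# Constructed resolver query log: (client, qname) pairs.
QUERY_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "cdn.evil.example."),       # trailing dot: fully qualified form
    ("10.0.0.7", "EVIL.EXAMPLE"),            # DNS names are case-insensitive
    ("10.0.0.7", "notevil.example"),         # must NOT match: different label
    ("10.0.0.9", "a.b.malware-cdn.test"),
]


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so lookups are canonical."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname equals a blocklist entry or is a subdomain of one.

    Matching walks label by label, so 'notevil.example' does not match
    'evil.example' the way a plain endswith() check would.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def resolve(qname: str, blocklist=BLOCKLIST) -> dict:
    """Return a constructed answer: a sinkhole record when blocked, otherwise a
    marker that the query would be forwarded upstream unchanged."""
    name = normalize(qname)
    if is_blocked(name, blocklist):
        return {"qname": name, "rcode": "NOERROR", "answer": "0.0.0.0", "blocked": True}
    return {"qname": name, "rcode": None, "answer": None, "blocked": False}


def summarize(log, blocklist=BLOCKLIST) -> dict:
    """Count the queries a filtering resolver would have sinkholed, per client.

    This is the kind of tally behind a claim like 'N% of incidents would have
    been interrupted at the DNS lookup'."""
    per_client = {}
    for client, qname in log:
        if is_blocked(qname, blocklist):
            per_client[client] = per_client.get(client, 0) + 1
    return {"total": len(log), "blocked": sum(per_client.values()),
            "per_client": per_client}


if __name__ == "__main__":
    for client, qname in QUERY_LOG:
        print(client, resolve(qname))
    print(summarize(QUERY_LOG))
```

Run it as a script to see each constructed query classified; the `summarize` output is the per-client count of lookups that would never have reached a malicious host.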

When security goes off the rails

New at Dark Reading, my When Security Goes Off the Rails, Cyber can learn a lot from the highly regulated world of rail travel. The most important lesson: the value of impartial analysis.

(As I watch the competing stories, “Baltimore City leaders blame NSA for ransomware attack,” and “N.S.A. Denies Its Cyberweapon Was Used in Baltimore Attack, Congressman Says,” I’d like to see an investigations capability that can give us facts.)

Polymorphic Warnings On My Mind

There’s a fascinating paper, “Tuning Out Security Warnings: A Longitudinal Examination of Habituation Through fMRI, Eye Tracking, and Field Experiments.” (It came out about a year ago.)

The researchers examined what happens in people’s brains when they look at warnings, and they found that:

Research in the fields of information systems and human-computer interaction has shown that habituation—decreased response to repeated stimulation—is a serious threat to the effectiveness of security warnings. Although habituation is a neurobiological phenomenon that develops over time, past studies have only examined this problem cross-sectionally. Further, past studies have not examined how habituation influences actual security warning adherence in the field. For these reasons, the full extent of the problem of habituation is unknown.

We address these gaps by conducting two complementary longitudinal experiments. First, we performed an experiment collecting fMRI and eye-tracking data simultaneously to directly measure habituation to security warnings as it develops in the brain over a five-day workweek. Our results show not only a general decline of participants’ attention to warnings over time but also that attention recovers at least partially between workdays without exposure to the warnings. Further, we found that updating the appearance of a warning—that is, a polymorphic design—substantially reduced habituation of attention.

Second, we performed a three-week field experiment in which users were naturally exposed to privacy permission warnings as they installed apps on their mobile devices. Consistent with our fMRI results, users’ warning adherence substantially decreased over the three weeks. However, for users who received polymorphic permission warnings, adherence dropped at a substantially lower rate and remained high after three weeks, compared to users who received standard warnings. Together, these findings provide the most complete view yet of the problem of habituation to security warnings and demonstrate that polymorphic warnings can substantially improve adherence.

It’s not short, but it’s not hard reading. Worthwhile if you care about usable security.
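What the paper calls a polymorphic warning is one whose content stays fixed while its appearance changes on every exposure. The following is an added example (not code from the paper or its authors) of the bookkeeping that design needs: a fixed message, a set of appearance variants, and a rotation that guarantees consecutive exposures never look alike, even where one shuffled cycle ends and the next begins. The variants, the message text and the seed are constructed for the example.

```python
"""Polymorphic security warning: fixed text, rotating appearance.
An added illustration; variants and message text are constructed."""
import random


class PolymorphicWarning:
    """Presents one fixed message in a rotating set of visual variants.

    Invariants the design relies on:
      * the text is identical across presentations (only appearance changes);
      * consecutive presentations never share a variant, including across
        the boundary between two shuffled cycles;
      * every variant appears exactly once per cycle, so no look dominates.
    """

    def __init__(self, text: str, variants: list, seed: int = 0):
        if len(variants) < 2:
            raise ValueError("polymorphism needs at least two variants")
        self.text = text
        self.variants = list(variants)
        self.rng = random.Random(seed)   # seeded so the demo is reproducible
        self.exposures = 0
        self._last = None
        self._queue = []

    def _refill(self):
        order = self.variants[:]
        self.rng.shuffle(order)
        # Never open a cycle with the variant that closed the previous one.
        if self._last is not None and order[0] == self._last:
            order[0], order[-1] = order[-1], order[0]
        self._queue = order

    def present(self) -> dict:
        """Return the rendering for the next exposure."""
        if not self._queue:
            self._refill()
        variant = self._queue.pop(0)
        self._last = variant
        self.exposures += 1
        return {"exposure": self.exposures, "text": self.text, **variant}


VARIANTS = [  # constructed appearance variants; a real UI would vary more
    {"style": "banner", "color": "red", "icon": "exclamation"},
    {"style": "modal", "color": "orange", "icon": "shield"},
    {"style": "sidebar", "color": "yellow", "icon": "lock"},
]


def consecutive_repeats(presentations) -> int:
    """Count adjacent exposures that share a variant; the design wants 0."""
    keys = [(p["style"], p["color"], p["icon"]) for p in presentations]
    return sum(1 for a, b in zip(keys, keys[1:]) if a == b)


if __name__ == "__main__":
    w = PolymorphicWarning("Publisher unknown. Install anyway?", VARIANTS, seed=7)
    shown = [w.present() for _ in range(9)]
    for p in shown:
        print(p)
    print("consecutive repeats:", consecutive_repeats(shown))
```

The swap in `_refill` is the only subtle part: a fresh shuffle can start with whatever variant ended the last cycle, which would show the same look twice in a row, exactly the repetition the habituation result says to avoid.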

Promoting Threat Modeling Work

Quick: are all the flowers the same species?

People regularly ask me to promote their threat modeling work, and I’m often happy to do so, even when I have questions about it. There are a few things I look at before I do, and I want to share some of those because I want to promote work that moves things forward, so we all benefit from it. Some of the things I look for include:

  • Specifics. If you have a new threat modeling approach, that’s great. Describe the steps concisely and crisply. (If I can’t find a list in your slide deck or paper, it’s not concise and crisp.) If you have a new variant on a building block or a new way to answer one of the four questions, be clear about that, so that those seeing your work can easily put it into context, and know what’s different. The four-question framework makes this easy. For example, “this is an extension of ‘what are we working on,’ and you can use any method to answer the other questions.” Such a sentence makes it easy for those thinking of picking up your tool to put it immediately in context.
  • Names. Name your work. We don’t discuss Guido’s programming language with a strange dependence on whitespace, we discuss Python. For others to understand it, your work needs a name, not an adjective. There are at least half a dozen distinct ‘awesome’ ways to threat model being promoted today. Their promoters don’t make it easy to figure out what’s different from the many other awesome approaches. These descriptors also carry an implication that only they are awesome, and the rest, by elimination, must suck. Lastly, I don’t believe that anyone is promoting The Awesome Threat Modeling Method — if you are, I apologize, I was looking for an illustrative name that avoids calling anyone out.

    (Microsoft cast a pall over the development of threat modeling by having at least four different things labeled ‘the Microsoft approach to threat modeling.’ Those included DFD+STRIDE, Asset-entry, patterns and practices and TAM, and variations on each.) Also, we discuss Python 2 versus Python 3, not ‘the way Guido talked about Python in 2014 in that video that got taken off YouTube because it used walk-on music.’

  • Respect. Be respectful of the work others have done, and the approaches they use. Threat modeling is a very big tent, and what doesn’t work for you may well work for others. This doesn’t mean ‘never criticize,’ but it does mean don’t cast shade. It’s fine to say ‘Threat modeling an entire system at once doesn’t work in agile teams at west coast software companies.’ It’s even better to say ‘Writing misuse cases got an NPS of -50 and Elevation of Privilege scored 15 at the same 6 west coast companies founded in the last 5 years.’
    I won’t promote work that tears down other work for the sake of tearing it down, or that says ‘this doesn’t work’ without specifics of the situation in which it didn’t work. Similarly, it’s fine to say “it took too long” if you say how long it took to do what steps, and, ideally, quantify ‘too long.’

I admit that I have failed at each of these in the past, and endeavor to do better. Specifics, names, and respectful conversation help us understand the field of flowers.

What else should we do better as we improve the ways we tackle threat modeling?

Photo by Stephanie Krist on Unsplash.

Testing Building Blocks

There are a couple of new, short (4-page), interesting papers from a team at KU Leuven including:

What makes these interesting is that they are digging into better-formed building blocks of threat modeling, comparing them to requirements, and analyzing how they stack up.

The work is centered on threat modeling for privacy and data protection, but what they look at includes STRIDE, CAPEC and CWE. What makes this interesting is not just the results of the comparison, but that they compare and contrast between techniques (DFD variants vs CARiSMA extended; STRIDE vs CAPEC or OWASP). Comparing building blocks at a granular level allows us to ask the question “what went wrong in that threat modeling project” and tweak one part of it, rather than throwing out threat modeling, or trying to train people in an entire method.
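As an added illustration of the kind of building block these papers pull apart (not code from the KU Leuven team, nor from any of the tools they compare), here is STRIDE-per-element run over a small DFD. The element-to-threat chart is the classic one from the DFD+STRIDE approach: external entities get Spoofing and Repudiation, processes get all six, data flows get Tampering, Information disclosure and Denial of service, and data stores get those three plus Repudiation only when they hold audit logs. The DFD itself is constructed. Isolating the chart as its own function is what makes it testable and swappable, which is the point of comparing building blocks rather than whole methods.

```python
"""STRIDE-per-element over a constructed DFD: an added illustration of one
threat-modeling building block. The element/threat chart is the classic
DFD+STRIDE one; the DFD is constructed for the example."""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Which threat categories apply to which DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TID",     # "R" is added below for stores that hold logs
    "data_flow": "TID",
}


@dataclass
class Element:
    name: str
    kind: str
    is_log: bool = False                   # only meaningful for data stores
    crosses_trust_boundary: bool = False   # only meaningful for data flows


def threats_for(el: Element) -> list:
    """Return (element name, threat) pairs for one DFD element."""
    if el.kind not in APPLICABLE:
        raise ValueError(f"unknown element kind: {el.kind}")
    letters = APPLICABLE[el.kind]
    if el.kind == "data_store" and el.is_log:
        letters += "R"   # an audit log is where repudiation is fought
    return [(el.name, STRIDE[c]) for c in "STRIDE" if c in letters]


def enumerate_threats(dfd: list) -> list:
    """Apply STRIDE-per-element across a whole DFD."""
    return [t for el in dfd for t in threats_for(el)]


def flows_needing_attention(dfd: list) -> list:
    """Flows that cross a trust boundary, where tampering and disclosure are
    most likely to be exploitable; a natural place to start triage."""
    return [el.name for el in dfd
            if el.kind == "data_flow" and el.crosses_trust_boundary]


# Constructed DFD: browser -> web app -> database, plus an audit log.
DFD = [
    Element("Browser", "external_entity"),
    Element("Web app", "process"),
    Element("Orders DB", "data_store"),
    Element("Audit log", "data_store", is_log=True),
    Element("Browser->Web app", "data_flow", crosses_trust_boundary=True),
    Element("Web app->Orders DB", "data_flow"),
]


if __name__ == "__main__":
    for name, threat in enumerate_threats(DFD):
        print(f"{name:22} {threat}")
    print("review first:", flows_needing_attention(DFD))
```

Swapping `APPLICABLE` for a different chart, or `STRIDE` for a CAPEC- or CWE-derived list, changes one building block while leaving the DFD and the enumeration loop untouched, which is exactly the granular comparison the papers are after.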

Episode 9 Spoilers

Today is the last Star Wars Day before Episode 9 comes out, and brings the Skywalker saga to its end.

Film critics have long talked about how Star Wars is about Luke’s Hero’s Journey, or the core trilogy is about his relationship to his father, but they’re wrong. Also, I regularly say that Star Wars is fundamentally the story of information disclosure: from the opening shot of Princess Leia’s ship being pursued through the climactic destruction of the Death Star, it’s an information security metaphor. But I too am wrong.

Star Wars is a story of how power corrupts.

The prophecy, that someone will bring (or restore) balance to the Force, was never precisely stated in the films*. There were allusions: someone will restore balance to the Force. Variously, the one expected to do that was Anakin, and then Luke, and then everyone who’d heard of the prophecy was either its presumptive subject or dead. But the Force is not out of balance in a way that a Skywalker can fix. The Force is out of balance because of the Skywalkers, and it is only through the ending of their line that balance can be restored.

Justifying that claim requires some of the story from outside the movies. The story starts with a Sith, Darth Plagueis. He was interested in life extension by control of the Force. He was also master to Darth Sidious, who later became the Emperor.

The virgin birth of Anakin Skywalker was not just cheesy adaptation of Christian symbology, it was a massive head-fake that, without ever being explicit, got people treating Anakin as if he was supposed to be a savior figure, who died to answer for the sins of the world. But that’s not the reason for his fatherless birth.

It was the experiments Plagueis did which led to the creation of Anakin Skywalker and it was Plagueis who set the saga in motion. Those actions unbalanced the Force, and the prophecy speaks of one who will bring back the balance.

The extreme and exceptional power of the Skywalkers breaks both the Jedi and the Sith. This is a side effect of the Force being out of balance. The way to restore balance to the Force is to end them, and that is what Rey will do, by killing Kylo Ren, son of Leia Skywalker.

Star Wars is a story of how power corrupts, and how heroic quests for justice can both restore the world, and cause tremendous damage along the way.

To the final film’s title, either it’s a final headfake, or a reference to Skywalker as a *title*, those who quest for justice in the galaxy.


* It was retconned last month; older versions are tracked in this Wiki.

Also, I want to acknowledge that Emily Asher-Perrin first put forth the explanation that Skywalker is a title, in her post “Hey, Star Wars: Episode IX — Don’t Retcon Rey Into a Skywalker.”

If you like this, I have plenty more geeky Star Wars content.
